Exchange 2007 Secure POP, IMAP Certificate Warning

traviskrings asked
Last Modified: 2012-05-06
I am preparing to switch to Exchange 2007 CAS servers. I am required to allow secure POP and IMAP into the environment. I have GoDaddy UCC certificates with the proper names; the CN of each certificate is the FQDN of the server that it is installed on (I have been under the impression that this is the proper way to do the UCC certificates). Outlook Anywhere and OWA seem to be working fine, but when I access IMAP or POP I get a certificate warning saying the name doesn't match. The name it sees on the cert is the common name, but I am using mail.mydomain.com to access. I cannot change the common name of my certs to mail.mydomain.com now that I have bought them, but I didn't think I should have to. Does anyone know how I can fix this issue? I am assuming the Outlook client can only see the common name on the certificate? I tried doing a new CSR and just moving mail.mydomain.com to the first name under domains, but it doesn't seem to matter how you order them. Any help would be greatly appreciated.

Expert of the Quarter 2009
Expert of the Year 2009
Commented:
I would have set the common name to your preferred name of mail.example.com, not the server's real name. The simple rule I use is that the common name should be the name that most people will be using. Outlook Anywhere can have problems with using a different name than the common name - particularly with Outlook 2003.

Thus - it isn't the order of the additional names, but it is the common name you need to change.

The names I suggest are what I have in my blog: http://www.sembee.co.uk/archive/2008/05/30/78.aspx

You need to remember that POP3/IMAP are very old protocols, not used to the additional names in an SSL certificate, which is a fairly new thing.

-M

Author

Commented:
Yeah, I figured that was the answer I would get, but I was hoping I might get lucky and someone would have another way. I have my UCC certificates with GoDaddy, and I don't know if they will let me change the CN on them after I have already purchased them. I am on the phone with them to see if they can help me with that.

Hopefully I don't have any Outlook Anywhere problems, because right now it is set up to use a different name than mail.domain.com. When it was originally set up long before me, it was done with outlook.domain.com. Hopefully I do not run into any issues with that. What kind of issues have you experienced with the Outlook Anywhere name not being the CN?
Expert of the Quarter 2009
Expert of the Year 2009

Commented:
Outlook 2003 simply doesn't connect if the common name is not the same name that is put in the mutual authentication box. That is the main problem with it. Outlook 2007 seems a little more tolerant.

-M

Author

Commented:
GoDaddy initially told me I could order 4 certificates with the same CN for each of my servers, but that was not correct. I had to switch to 1 certificate with more SAN names and cover everything with 1. I am waiting for verification so I can download and install. After installing I will verify that my POP and IMAP work after changing the CN to mail.domain.com.
Expert of the Quarter 2009
Expert of the Year 2009

Commented:
Sounds like there is still some confusion with the SSL certificate requirements for Exchange 2007. I had at one point a major certificate supplier pointing people to my blog posting regarding certificates, which simply astounded me!

-M

Author

Commented:
I redid the certificate with mail.ciber.com as the CN and all Subject Alternative names under one certificate for all 4 servers.  This has done the trick for the warning with secure POP and IMAP.
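
The name mismatch discussed in this thread, as an added example that is not part of the original posts: it compares how a client that checks only the common name and a client that also reads Subject Alternative Names judge the same certificate. The function names, the `cas01`/`cas02` host names and both sample certificates are constructed for illustration.

```python
import socket
import ssl

def fetch_cert(host, port=993):
    """Return the certificate served on an implicit-TLS port (993 IMAPS, 995 POP3S)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still validated; names are compared below
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _subject_cn(cert):
    # cert uses the dict layout returned by SSLSocket.getpeercert()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def _matches(pattern, host):
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        # a wildcard covers exactly one left-most label
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def name_check(cert, host):
    """Report whether host matches the CN alone and whether it matches any SAN."""
    cn = _subject_cn(cert)
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return {"cn_only": bool(cn) and _matches(cn, host),
            "san_aware": any(_matches(n, host) for n in sans)}

# Constructed sample: CN is the server FQDN, shared name only in the SAN list.
CERT_BEFORE = {
    "subject": ((("commonName", "cas01.mydomain.com"),),),
    "subjectAltName": (("DNS", "cas01.mydomain.com"), ("DNS", "mail.mydomain.com")),
}
# Constructed sample: CN is the shared name, server FQDNs moved to the SAN list.
CERT_AFTER = {
    "subject": ((("commonName", "mail.mydomain.com"),),),
    "subjectAltName": (("DNS", "mail.mydomain.com"), ("DNS", "cas01.mydomain.com"),
                       ("DNS", "cas02.mydomain.com")),
}

if __name__ == "__main__":
    for label, cert in (("before", CERT_BEFORE), ("after", CERT_AFTER)):
        print(label, name_check(cert, "mail.mydomain.com"))
```

To check a live listener, pass the result of `fetch_cert("mail.mydomain.com", 993)` or port 995 to `name_check` with the name the clients are configured to use.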